by em-bee 862 days ago
i am not saying that the product owner should be able to veto without being overridden, just that they should have a right to be heard, and that their response needs to be considered.

i do realize that many businesses would rather hide any security issues instead of acknowledging them. so a simple "no" or no response from them would not be enough.

but the current situation where we get a CVE for anything that is not proven to be safe (when giving that proof is very expensive to make) is also not helpful.

the linux kernel and curl becoming their own CVE authority is a hack to work around a broken process.

Who would be able to override the product owner? If it's the party that files, then what changed?
maybe a number of independent reviewers. kind of like we have reviewers for scientific papers, except i would make the list of reviewers known and attached to the CVE like signoffs on patches, including reviewers that reject the claims. (actually, that should be done for papers as well, but that's a different discussion)

then you can evaluate the seriousness of any CVE not only by its assigned threat level but also by weighing who and how many people reviewed the claims.

further there could be review levels, also similar to how bug reports are handled: new/incoming, triage, verified/reproduced, closed/unreproducible, fixed.

that would allow further categorization and give people another way to evaluate if a CVE is serious.

Within the existing system, I think MITRE should be able to override a CNA, but I don’t know that they can, just that they don’t appear to do so.